2 Answers
2

If you want to compare the feature-set of your NIDS then I suggest you look at Security Onion, which is an awesome Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's currently 32-bit and based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico and many other security tools. I'd recommend checking out

IMHO, for a NIDS device to be useful, it has to be a NSM. Many NIDS failed because they were simply installed due to some regulation, compliance request or recommendation from a Big-4 consultant (not dissing all Big-4 consultants, some are excellent such as Rory...this regularly happened) and the internal staff managing the NIDS device could barely spell TCP/IP. You have to think of usability:

ease of use

ease of install

ease of understanding

ease of turning the alerts into something human-understandable by management

Security Onion is a complex beast that's been around for 3 years now (I think), so it is far from baseline, but check it out and take the pre-requisite features. It's also worth installing to see how Doug has implemented his solution. It's been actively used in very large environments, so it's definitely relevant for your project.

:-) Thanks Mark - I agree though. If an audit says "you require an IDS" the value is nil if the company just installs one to get a tick in the box. The useful bit is as you describe - it needs to do something which helps mitigate risk otherwise it is just an expensive box that spits out alerts.
– Rory Alsop♦ Aug 13 '12 at 11:14

By definition, that is a NIDS. That may or may not be enough for your project.

What is possibly more important for a real world NIDS is how it is updated, how it is tuned, how it is managed, how it reports on exceptions or alerts, etc. Any of the following would be useful in a NIDS.

Updates - using Snort signatures is useful. Is there any heuristic/learning capability?

Tuning - how do you train the system, and keep it updated when network topography or usage changes?

Management - is this standalone or part of an array?

Reporting - do you alert on thresholds, likelihoods, or just on a signature match?

Also, policy updates on the switch: when you detect the scanner, you can block it on the router so it's blocked from the network completely, or its authentication is rejected on the LAN. Also, a visual analyser like Snorby, which helps to understand and create new signatures.
– Andrew Smith Aug 13 '12 at 11:19

Management - Standalone. Reporting - On thresholds and signature match. Alerts can be sent to a network client program. Logging - All events are logged to file. The source and destination of the offending packet, the violation and the time are logged.
– Abi Aug 15 '12 at 19:14
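To make the "thresholds versus signature match" distinction in the second answer, and the logging described in the last comment, concrete, here is a small added example (not code from either answer, and not from Snort, Security Onion or any other product). It runs a toy detector over constructed packet events: a signature rule fires on a single matching payload, while a threshold rule fires only once a source has touched enough distinct destination ports inside a time window, and every alert is rendered as a log line carrying source, destination, violation and time. The signature pattern, the port-count threshold, the window length and all addresses are assumptions chosen for the illustration.

```python
"""Toy NIDS alerting core: signature matches versus threshold alerts.

Added example, not code from the answers above or from any NIDS product.
Events, the signature and the thresholds are all constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed sample values)
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str
    violation: str   # what was detected; goes into the log line


# Signature rules: a name plus a byte-pattern regex (hypothetical rule for this example)
SIGNATURES = [
    ("http-shell-probe", re.compile(rb"/cgi-bin/.*\.sh")),
]


class Detector:
    def __init__(self, scan_ports=8, window=10.0):
        self.scan_ports = scan_ports          # distinct ports per window before alerting
        self.window = window                  # seconds
        self._ports = defaultdict(deque)      # src -> deque of (ts, dport)
        self._scan_alerted = set()            # one scan alert per source, not per packet

    def process(self, ev):
        alerts = []
        # 1. Signature match: a single event is enough, no state needed.
        for name, pat in SIGNATURES:
            if pat.search(ev.payload):
                alerts.append(Alert(ev.ts, ev.src, ev.dst, f"signature:{name}"))
        # 2. Threshold: many distinct destination ports from one source within the window.
        q = self._ports[ev.src]
        q.append((ev.ts, ev.dport))
        while q and ev.ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.scan_ports and ev.src not in self._scan_alerted:
            self._scan_alerted.add(ev.src)
            alerts.append(Alert(ev.ts, ev.src, ev.dst,
                                f"threshold:portscan({len(distinct)} ports/{self.window:g}s)"))
        return alerts


def format_log(a):
    """Log line with source, destination, violation and time, as the comment above describes."""
    return f"{a.ts:.1f} src={a.src} dst={a.dst} violation={a.violation}"


def run(events, **kw):
    """Feed events to a fresh Detector in time order and return every alert raised."""
    det = Detector(**kw)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(det.process(ev))
    return out


# Constructed sample traffic: one scanner, one signature hit, one normal client.
SAMPLE = [Event(1000.0 + i, "10.0.0.7", "10.0.0.20", 1000 + i, b"") for i in range(12)]
SAMPLE.append(Event(1003.5, "10.0.0.9", "10.0.0.20", 80, b"GET /cgi-bin/test.sh HTTP/1.0"))
SAMPLE += [Event(1000.0 + 2 * i, "10.0.0.5", "10.0.0.20", 443, b"") for i in range(6)]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(format_log(a))
```

The point the answer makes shows up in the two code paths: the signature branch is stateless and cheap but only knows what it has a pattern for, while the threshold branch needs per-source state and a tuned window and count (the "tuning" item in the list above) and can flag behaviour no signature describes. The normal client in the sample hits one port repeatedly and never trips the threshold, which is the kind of false positive a badly tuned count would generate.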